2020-10-29 10:05:24

by Tomas Winkler

Subject: [char-misc-next 0/3] mei: bus: null dereference in rx

Fix a race in the receive callback for drivers on the ME client
bus that results in a null dereference, and improve
the error handling.
The first patch 'mei: protect mei_cl_mtu from null dereference'
itself is sufficient to prevent the failure and is intended
for stable.


Alexander Usyskin (3):
mei: protect mei_cl_mtu from null dereference
mei: bus: do not start a read for disconnected clients
mei: bus: deinitialize callback functions on init failure

drivers/misc/mei/bus.c | 18 ++++++++++++++----
drivers/misc/mei/client.h | 4 ++--
2 files changed, 16 insertions(+), 6 deletions(-)

--
2.25.4


2020-10-29 10:05:24

by Tomas Winkler

Subject: [char-misc-next 1/3] mei: protect mei_cl_mtu from null dereference

From: Alexander Usyskin <[email protected]>

A receive callback is queued while the client is still connected
but can still be called after the client was disconnected. Upon
disconnect cl->me_cl is set to NULL, hence we need to check
that the ME client is not NULL in mei_cl_mtu to avoid a
null dereference.

Cc: <[email protected]>
Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
---
drivers/misc/mei/client.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/client.h b/drivers/misc/mei/client.h
index 64143d4ec758..9e08a9843bba 100644
--- a/drivers/misc/mei/client.h
+++ b/drivers/misc/mei/client.h
@@ -182,11 +182,11 @@ static inline u8 mei_cl_me_id(const struct mei_cl *cl)
*
* @cl: host client
*
- * Return: mtu
+ * Return: mtu or 0 if client is not connected
*/
static inline size_t mei_cl_mtu(const struct mei_cl *cl)
{
- return cl->me_cl->props.max_msg_length;
+ return cl->me_cl ? cl->me_cl->props.max_msg_length : 0;
}

/**
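Review bot: returning 0 for a disconnected client changes the contract for every caller, so the `@cl` documentation above should also say what callers are expected to do with a 0 mtu; in bus.c the value goes straight into `mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL)`, which would then be asked for a zero-length read unless the caller checks `mei_cl_is_connected()` first (as 2/3 does). The NULL test is also only meaningful when `cl->me_cl` is read under `bus->device_lock`, since a disconnect running concurrently can clear the pointer between the test and the dereference; worth a one-line comment so callers outside the lock do not assume this makes `mei_cl_mtu` safe on its own.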
--
2.25.4

2020-10-29 10:05:28

by Tomas Winkler

Subject: [char-misc-next 2/3] mei: bus: do not start a read for disconnected clients

From: Alexander Usyskin <[email protected]>

Avoid queuing reads and registering rx callbacks in
case the client is not connected, to prevent null
dereferencing and memory leaks.

Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
---
drivers/misc/mei/bus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 9cdaa7f3af23..1a54bf3ed0c3 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -276,7 +276,8 @@ static void mei_cl_bus_rx_work(struct work_struct *work)
cldev->rx_cb(cldev);

mutex_lock(&bus->device_lock);
- mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+ if (mei_cl_is_connected(cldev->cl))
+ mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
mutex_unlock(&bus->device_lock);
}

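Review bot: the re-arm is now skipped for a disconnected client, but the return value of `mei_cl_read_start()` is still discarded here, so a connected client whose read fails for any other reason (the second hunk shows `-EBUSY` is a possible outcome) silently stops receiving with no log line. Consider at least a `dev_dbg`/`dev_err` on a non-zero return so the stall can be diagnosed. Note also that `cldev->rx_cb(cldev)` at the top of the hunk runs before `mutex_lock(&bus->device_lock)` is taken, so the disconnect race is closed only for the re-arm, not for the callback invocation itself; if that is intentional, a short comment would help.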
@@ -364,7 +365,10 @@ int mei_cldev_register_rx_cb(struct mei_cl_device *cldev, mei_cldev_cb_t rx_cb)
INIT_WORK(&cldev->rx_work, mei_cl_bus_rx_work);

mutex_lock(&bus->device_lock);
- ret = mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+ if (mei_cl_is_connected(cldev->cl))
+ ret = mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+ else
+ ret = -ENODEV;
mutex_unlock(&bus->device_lock);
if (ret && ret != -EBUSY)
return ret;
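Review bot: on the new `-ENODEV` path the function returns with `cldev->rx_cb` still assigned and `rx_work` already initialized (`INIT_WORK` at the top of the hunk), so a driver that sees the error and retries after reconnecting is left with a half-registered callback; the cleanup that 3/3 adds (`cancel_work_sync(&cldev->rx_work); cldev->rx_cb = NULL;`) logically belongs in this patch so the series stays bisectable. Also, `mei_cl_mtu()` after 1/3 already returns 0 for a disconnected client, so please state in the commit message why the explicit `mei_cl_is_connected()` check is still needed here (presumably to avoid a zero-length read and to return a distinct error).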
--
2.25.4

2020-10-29 10:05:29

by Tomas Winkler

Subject: [char-misc-next 3/3] mei: bus: deinitialize callback functions on init failure

From: Alexander Usyskin <[email protected]>

If the initialization procedure for receive or receive callback
registration on the client bus has failed, the caller can't re-run it.
Deinitialize the callback pointers and cancel the work
to allow the caller to retry.

Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
---
drivers/misc/mei/bus.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 1a54bf3ed0c3..76aa0e93748a 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -370,8 +370,11 @@ int mei_cldev_register_rx_cb(struct mei_cl_device *cldev, mei_cldev_cb_t rx_cb)
else
ret = -ENODEV;
mutex_unlock(&bus->device_lock);
- if (ret && ret != -EBUSY)
+ if (ret && ret != -EBUSY) {
+ cancel_work_sync(&cldev->rx_work);
+ cldev->rx_cb = NULL;
return ret;
+ }

return 0;
}
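Review bot: `cancel_work_sync(&cldev->rx_work)` is correctly placed after `mutex_unlock(&bus->device_lock)`, since `mei_cl_bus_rx_work()` (2/3) takes `bus->device_lock` itself and calling `cancel_work_sync()` while holding that lock would deadlock; that ordering constraint is easy to break in a later refactor, so a one-line comment above the `cancel_work_sync()` call is worth adding. Clearing `cldev->rx_cb` only after the cancel is the right order, but it is done without the lock, so please confirm nothing else reads `rx_cb` under `device_lock` and could observe the stale pointer in between.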
@@ -405,8 +408,11 @@ int mei_cldev_register_notif_cb(struct mei_cl_device *cldev,
mutex_lock(&bus->device_lock);
ret = mei_cl_notify_request(cldev->cl, NULL, 1);
mutex_unlock(&bus->device_lock);
- if (ret)
+ if (ret) {
+ cancel_work_sync(&cldev->notif_work);
+ cldev->notif_cb = NULL;
return ret;
+ }

return 0;
}
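Review bot: this is the same cancel-and-clear sequence as in `mei_cldev_register_rx_cb()` above with `rx_work`/`rx_cb` swapped for `notif_work`/`notif_cb`; a small static helper would keep the two error paths from drifting apart. Unlike the rx path in 2/3, `mei_cl_notify_request(cldev->cl, NULL, 1)` is not preceded by a `mei_cl_is_connected()` check, so the commit message should say whether it is safe to call on a disconnected client (i.e. that it fails cleanly rather than dereferencing `cl->me_cl`), and whether an `-EBUSY`-style "already requested" return needs the same tolerance the rx path gives it.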
--
2.25.4